Security Incidents mailing list archives
Re: Strange Traffic..
From: John Sage <jsage () finchhaven com>
Date: Thu, 29 Nov 2001 21:26:50 -0800
Vinay: I think this looks like nameserver-to-nameserver dns traffic, see comments in line..
Vinay Kudithipudi wrote:
Hello Guys,
Our DNS servers have been getting a lot of strange traffic from
a couple of IP addresses allocated to the Social Security
Administration.
Here is a tcpdump I did on one of our DNS servers.
07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
199.x.x.x:53 sends 35 bytes to dns1:53 with a query number of 45115
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
dns1 answers query number 45115 with 100 bytes, zero answer records, 2 authoritative records, 1 additional record...
So, whatever it is they think they want, you apparently don't have the specific IP address, but you may have the relevant nameserver, and you've got some additional stuff, too...
Now, if it's the *volume* of traffic you're talking about, that's a different kind of issue.
I'd try to get in touch with llsmith () ssa gov and ask him "wassup?"
UUNET Technologies, Inc. (NETBLK-UUCBLK170-173)
   NETBLK-UUCBLK170-173     199.170.0.0 - 199.173.255.255
Social Security Administration (NETBLK-UU-199-173-224-D2)
   UU-199-173-224-D2        199.173.224.0 - 199.173.231.255

Social Security Administration (NETBLK-UU-199-173-224-D2)
   6401 Security Blvd.
   Baltimore, MD 21235
   US

   Netname: UU-199-173-224-D2
   Netblock: 199.173.224.0 - 199.173.231.255

   Coordinator:
      Smith, Lionel Lloyd (LS112-ARIN) llsmith () ssa gov
      (410) 965-8963 (FAX) (410) 965-4110

   Record last updated on 08-Oct-1998.
   Database last updated on 29-Nov-2001 19:56:47 EDT.
(I don't think it's necessarily unusual that the data for this specific
record hasn't changed since 1998..)
- John <snip>
The other IPs that we are getting this kind of traffic from are 199.173.224.2 and 199.173.225.21. I did a portscan on these IPs using nmap and the only ports open on these boxes are SMTP and AUTH. Also the output says that the boxes have been up since 1985!!! This traffic is killing our servers. I am planning on blocking these IPs from our routers, but wanted to hear other opinions from this group. Any help would be appreciated. Thank you.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
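Added example, not part of this thread or of either poster's message: a small Python script that parses tcpdump one-line DNS summaries of the kind quoted above, pairs each query with its response by client address and query ID, and tallies per-client query volume and the share of responses that carry zero answer records (the 0/2/1 pattern), so the "is it the volume?" question can be answered from a capture rather than by eye. It follows the old tcpdump line format shown in the post (query id, optional flag characters, ancount/nscount/arcount on responses, payload length in parentheses). The sample capture is constructed: its first two lines are the ones in the post, the remaining lines are made up, and the names dns1, 10.1.2.3 and www.example.net are placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One line of old-style tcpdump DNS output, e.g.
#   07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
#   07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
# Fields: timestamp, src.port > dst.port, query id, optional flag characters
# (+ RD, * AA, - no RA, | truncated, $ CD), a body, and the payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<id>\d+)(?P<flags>[+*|$-]*)\s*"
    r"(?P<body>.*?)\s*\((?P<len>\d+)\)"
)
# Responses carry answer/authority/additional record counts as an/ns/ar.
COUNTS_RE = re.compile(r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


@dataclass
class DnsLine:
    ts: str
    src: str
    dst: str
    qid: int
    length: int
    is_response: bool
    ancount: int = 0
    nscount: int = 0
    arcount: int = 0


def parse_line(line: str) -> Optional[DnsLine]:
    """Parse one tcpdump DNS summary line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    counts = COUNTS_RE.search(m.group("body"))
    rec = DnsLine(ts=m.group("ts"), src=m.group("src"), dst=m.group("dst"),
                  qid=int(m.group("id")), length=int(m.group("len")),
                  is_response=counts is not None)
    if counts:
        rec.ancount, rec.nscount, rec.arcount = (
            int(counts.group(g)) for g in ("an", "ns", "ar"))
    return rec


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per-client tallies: queries sent, responses seen, responses with zero
    answer records, queries never answered in the capture, bytes sent back."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"queries": 0, "responses": 0, "empty_answers": 0,
                 "unanswered": 0, "bytes_out": 0})
    pending = {}  # (client, server, qid) -> query still waiting for a reply
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if not rec.is_response:
            stats[rec.src]["queries"] += 1
            pending[(rec.src, rec.dst, rec.qid)] = rec
            continue
        # A response travels server -> client; match it back to the query.
        client = rec.dst
        s = stats[client]
        s["responses"] += 1
        s["bytes_out"] += rec.length
        if rec.ancount == 0:
            # 0/n/m: no answer records, only authority and additional ones.
            # That is either a referral to other nameservers or a negative
            # answer carrying an SOA; the one-line format hides the rcode,
            # so both are counted here and sorted out by hand afterwards.
            s["empty_answers"] += 1
        pending.pop((client, rec.src, rec.qid), None)
    for client, _server, _qid in pending:
        stats[client]["unanswered"] += 1
    return dict(stats)


def flag_noisy_clients(stats: Dict[str, Dict[str, int]], min_queries: int = 100,
                       empty_ratio: float = 0.5) -> List[str]:
    """Clients sending at least min_queries whose responses are mostly empty,
    busiest first. The thresholds are illustrative; tune them to your zone."""
    flagged = []
    for client, s in stats.items():
        if s["queries"] < min_queries or s["responses"] == 0:
            continue
        if s["empty_answers"] / s["responses"] >= empty_ratio:
            flagged.append(client)
    return sorted(flagged, key=lambda c: stats[c]["queries"], reverse=True)


# Constructed sample capture: the first two lines are the ones in the post,
# the rest are made up to show repeated empty answers and one normal lookup.
SAMPLE_TCPDUMP = """\
07:00:35.988875 199.173.224.20.domain > dns1.domain: 45115 (35)
07:00:35.989564 dns1.domain > 199.173.224.20.domain: 45115 0/2/1 (100) (DF)
07:00:36.101201 199.173.224.20.domain > dns1.domain: 45116 (35)
07:00:36.101877 dns1.domain > 199.173.224.20.domain: 45116 0/2/1 (100) (DF)
07:00:36.230010 199.173.224.20.domain > dns1.domain: 45117 (35)
07:00:37.004412 10.1.2.3.domain > dns1.domain: 6100+ A? www.example.net. (33)
07:00:37.005002 dns1.domain > 10.1.2.3.domain: 6100* 1/2/2 A 10.1.2.50 (112) (DF)
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_TCPDUMP.splitlines())
    for client, s in sorted(stats.items(), key=lambda kv: kv[1]["queries"], reverse=True):
        print(f"{client:16} queries={s['queries']:4} responses={s['responses']:4} "
              f"empty={s['empty_answers']:4} unanswered={s['unanswered']:4} "
              f"bytes_out={s['bytes_out']}")
    print("noisy clients:", flag_noisy_clients(stats, min_queries=3))
```

Run it on a real capture with `tcpdump -n port 53 | python3 thisscript.py` after swapping `SAMPLE_TCPDUMP.splitlines()` for `sys.stdin`; `-n` keeps addresses numeric so client keys stay consistent. Matching on (client, server, id) rather than id alone matters because query IDs from different clients collide freely.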
